Compare commits
No commits in common. "main" and "171ef655f85d25ffe4889d3b074dd110cd748ada" have entirely different histories.
main
...
171ef655f8
|
@ -12,14 +12,11 @@ homelab.
|
|||
|
||||
=== Containers
|
||||
|
||||
* Authelia
|
||||
* Jellyfin
|
||||
* Keycloak
|
||||
* NGINX
|
||||
* Jellyfin
|
||||
* OpenLDAP
|
||||
* Portainer
|
||||
* PostgreSQL
|
||||
* Radarr
|
||||
* Keycloak
|
||||
|
||||
=== Testing
|
||||
To run locally, specify the inventory file with `-i hosts`.
|
||||
|
|
|
@ -14,8 +14,3 @@ tz: "Europe/Prague"
|
|||
media:
|
||||
tv: "{{ data_folder }}/media/tv"
|
||||
movies: "{{ data_folder }}/media/movies"
|
||||
downloads:
|
||||
nzb: "{{ data_folder }}/downloads/nzb"
|
||||
torrent: "{{ data_folder }}/downloads/torrent"
|
||||
torrent_blackhole: "{{ data_folder }}/downloads/blackhole"
|
||||
music: "{{ data_folder }}/downloads/music"
|
|
@ -3,13 +3,11 @@
|
|||
roles:
|
||||
- docker
|
||||
- nginx
|
||||
- openldap
|
||||
- portainer
|
||||
- jellyfin
|
||||
- openldap
|
||||
- postgres
|
||||
- authelia
|
||||
- keycloak
|
||||
- radarr
|
||||
vars_files:
|
||||
- vault/certs/{{ base_domain }}.yml
|
||||
- vault/passwords.yml
|
||||
|
|
|
@ -1,2 +1 @@
|
|||
#!/bin/env fish
|
||||
ANSIBLE_VAULT_PASSWORD_FILE=(pass show ansible-homelab | psub) vagrant provision
|
|
@ -17,8 +17,8 @@
|
|||
ports:
|
||||
- "9091:9091"
|
||||
networks:
|
||||
- name: external
|
||||
- name: openldap
|
||||
- name: bridge
|
||||
- name: nginx-internal
|
||||
volumes:
|
||||
- "{{ data_folder }}/authelia:/config"
|
||||
- name: copy nginx endpoint conf
|
||||
|
|
|
@ -1,5 +1,14 @@
|
|||
auth_request /authelia/api/verify;
|
||||
# Basic Authelia Config
|
||||
# Send a subsequent request to Authelia to verify if the user is authenticated
|
||||
# and has the right permissions to access the resource.
|
||||
auth_request /authelia;
|
||||
# Set the `target_url` variable based on the request. It will be used to build the portal
|
||||
# URL with the correct redirection parameter.
|
||||
auth_request_set $target_url $scheme://$http_host$request_uri;
|
||||
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
|
||||
# returned by Authelia for the backends which can consume them.
|
||||
# This is not safe, as the backend must make sure that they come from the
|
||||
# proxy. In the future, it's gonna be safe to just use OAuth.
|
||||
auth_request_set $user $upstream_http_remote_user;
|
||||
auth_request_set $groups $upstream_http_remote_groups;
|
||||
auth_request_set $name $upstream_http_remote_name;
|
||||
|
@ -8,4 +17,7 @@ proxy_set_header Remote-User $user;
|
|||
proxy_set_header Remote-Groups $groups;
|
||||
proxy_set_header Remote-Name $name;
|
||||
proxy_set_header Remote-Email $email;
|
||||
error_page 401 =302 https://$http_host/authelia/?rd=$target_url;
|
||||
# If Authelia returns 401, then nginx redirects the user to the login portal.
|
||||
# If it returns 200, then the request pass through to the backend.
|
||||
# For other type of errors, nginx will handle them as usual.
|
||||
error_page 401 =302 https://auth.{{ base_domain }}/?rd=$target_url;
|
|
@ -1,17 +1,10 @@
|
|||
location ^~ /authelia {
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
set $upstream_authelia authelia;
|
||||
proxy_pass http://$upstream_authelia:9091;
|
||||
}
|
||||
set $upstream_authelia http://authelia:9091/api/verify;
|
||||
|
||||
location = /authelia/api/verify {
|
||||
# Virtual endpoint created by nginx to forward auth requests.
|
||||
location /authelia {
|
||||
internal;
|
||||
if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) {
|
||||
return 401;
|
||||
}
|
||||
set $upstream_authelia authelia;
|
||||
proxy_pass_request_body off;
|
||||
proxy_pass http://$upstream_authelia:9091;
|
||||
proxy_pass $upstream_authelia;
|
||||
proxy_set_header Content-Length "";
|
||||
|
||||
# Timeout if the real server is dead
|
||||
|
@ -26,11 +19,11 @@ location = /authelia/api/verify {
|
|||
proxy_set_header Host $host;
|
||||
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Method $request_method;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header X-Forwarded-Host $http_host;
|
||||
proxy_set_header X-Forwarded-Uri $request_uri;
|
||||
proxy_set_header X-Forwarded-For $remote_addr;
|
||||
proxy_set_header X-Forwarded-Ssl on;
|
||||
proxy_redirect http:// $scheme://;
|
||||
proxy_http_version 1.1;
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
server {
|
||||
server_name auth.{{ base_domain }};
|
||||
listen 80;
|
||||
return 301 https://$server_name$request_uri;
|
||||
server_name auth.{{ base_domain }};
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
|
@ -9,8 +9,8 @@ server {
|
|||
listen 443 ssl http2;
|
||||
|
||||
location / {
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
set $upstream_authelia http://authelia:9091; # This example assumes a Docker deployment
|
||||
proxy_pass $upstream_authelia;
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
}
|
||||
}
|
|
@ -26,21 +26,12 @@ authentication_backend:
|
|||
password: {{ vault_openldap_admin_password }}
|
||||
access_control:
|
||||
default_policy: deny
|
||||
networks:
|
||||
- name: local
|
||||
networks:
|
||||
- 192.168.0.0/24
|
||||
rules:
|
||||
- domain: "*.{{ base_domain }}"
|
||||
networks:
|
||||
- local
|
||||
policy: bypass
|
||||
- domain: portainer.{{ base_domain }}
|
||||
policy: one_factor
|
||||
- domain: keycloak.{{ base_domain }}
|
||||
policy: one_factor
|
||||
- domain: radarr.{{ base_domain }}
|
||||
policy: two_factor
|
||||
- domain:
|
||||
- "{{ base_domain }}"
|
||||
- "*.{{ base_domain }}"
|
||||
- "keycloak.{{ base_domain }}"
|
||||
policy: deny
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: somerandomsecret
|
||||
|
|
|
@ -3,9 +3,6 @@
|
|||
name:
|
||||
- docker
|
||||
- python-pip
|
||||
- neovim
|
||||
- fish
|
||||
- curlie
|
||||
state: present
|
||||
update_cache: true
|
||||
- name: start
|
||||
|
@ -15,9 +12,8 @@
|
|||
- name: add user to group
|
||||
user:
|
||||
name: lukas
|
||||
groups: docker,wheel
|
||||
groups: docker
|
||||
append: true
|
||||
shell: /usr/bin/fish
|
||||
- name: install python docker
|
||||
pip:
|
||||
name:
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
name: 'jellyfin'
|
||||
image: linuxserver/jellyfin
|
||||
networks:
|
||||
- name: external
|
||||
- name: nginx-internal
|
||||
volumes:
|
||||
- "{{ data_folder }}/jellyfin:/config"
|
||||
- "{{ media.tv }}:/data/tv"
|
||||
|
@ -29,6 +29,7 @@
|
|||
devices:
|
||||
- /dev/dri:/dev/dri
|
||||
state: started
|
||||
restart: yes
|
||||
- name: copy jellyfin nginx config
|
||||
template:
|
||||
src: jellyfin.conf.j2
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
server {
|
||||
server_name "jellyfin.{{ base_domain }}";
|
||||
listen 80;
|
||||
return 301 https://$server_name$request_uri;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
|
|
|
@ -5,9 +5,8 @@
|
|||
ports:
|
||||
- "8080:8080"
|
||||
networks:
|
||||
- name: external
|
||||
- name: postgres
|
||||
- name: openldap
|
||||
- name: nginx-internal
|
||||
env:
|
||||
"KEYCLOAK_USER": "{{ vault_keycloak_user }}"
|
||||
"KEYCLOAK_PASSWORD": "{{ vault_keycloak_password }}"
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
server {
|
||||
server_name "keycloak.{{ base_domain }}";
|
||||
listen 80;
|
||||
return 301 https://$server_name$request_uri;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
|
|
|
@ -14,11 +14,11 @@
|
|||
- name: generate self-signed certs
|
||||
import_tasks: self-signed.yml
|
||||
when: self_signed
|
||||
- name: create external bridge network
|
||||
- name: create nginx bridge network
|
||||
docker_network:
|
||||
name: external
|
||||
name: nginx-internal
|
||||
attachable: true
|
||||
internal: false
|
||||
internal: true
|
||||
state: present
|
||||
- name: copy nginx.conf
|
||||
template:
|
||||
|
@ -37,7 +37,8 @@
|
|||
name: 'nginx'
|
||||
image: nginx
|
||||
networks:
|
||||
- name: external
|
||||
- name: bridge
|
||||
- name: nginx-internal
|
||||
volumes:
|
||||
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
|
||||
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
|
||||
|
@ -53,3 +54,4 @@
|
|||
NGINX_HOST: "{{ base_domain }}"
|
||||
NGINX_PORT: '80'
|
||||
state: started
|
||||
restart: yes
|
||||
|
|
|
@ -14,8 +14,6 @@ http {
|
|||
include /etc/nginx/mime.types;
|
||||
default_type application/octet-stream;
|
||||
|
||||
log_subrequest on;
|
||||
|
||||
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
|
||||
'$status $body_bytes_sent "$http_referer" '
|
||||
'"$http_user_agent" "$http_x_forwarded_for"';
|
||||
|
|
|
@ -6,19 +6,13 @@
|
|||
loop:
|
||||
- "{{ data_folder }}/openldap"
|
||||
- "{{ data_folder }}/openldap/data"
|
||||
- name: create network
|
||||
docker_network:
|
||||
name: openldap
|
||||
attachable: true
|
||||
internal: true
|
||||
state: present
|
||||
- name: run container
|
||||
docker_container:
|
||||
name: "openldap"
|
||||
image: osixia/openldap
|
||||
hostname: openldap
|
||||
networks:
|
||||
- name: openldap
|
||||
- name: nginx-internal
|
||||
ports:
|
||||
- "389:389"
|
||||
- "636:636"
|
||||
|
@ -30,3 +24,4 @@
|
|||
LDAP_ADMIN_PASSWORD: "{{ vault_openldap_admin_password }}"
|
||||
LDAP_REMOVE_CONFIG_AFTER_SETUP: "false"
|
||||
state: started
|
||||
restart: yes
|
|
@ -0,0 +1,6 @@
|
|||
dn: dc=kucharczyk,dc=xyz
|
||||
objectclass: top
|
||||
objectclass: dcObject
|
||||
objectclass: organization
|
||||
dc: kucharczyk
|
||||
o: Homelab
|
|
@ -1,19 +0,0 @@
|
|||
- name: run container
|
||||
docker_container:
|
||||
name: 'portainer'
|
||||
image: portainer/portainer-ce
|
||||
networks:
|
||||
- name: external
|
||||
- name: openldap
|
||||
volumes:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
ports:
|
||||
- "8000:8000"
|
||||
- "9000:9000"
|
||||
state: started
|
||||
- name: copy nginx conf
|
||||
template:
|
||||
src: portainer.conf.j2
|
||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
|
||||
mode: "755"
|
||||
notify: reload nginx
|
|
@ -1,20 +0,0 @@
|
|||
server {
|
||||
server_name portainer.{{ base_domain }};
|
||||
listen 80;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
server_name portainer.{{ base_domain }};
|
||||
listen 443 ssl http2;
|
||||
|
||||
include /etc/nginx/snippets/authelia-endpoint.conf;
|
||||
|
||||
location / {
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
include /etc/nginx/snippets/authelia-auth.conf;
|
||||
|
||||
set $upstream http://portainer:9000; # This example assumes a Docker deployment
|
||||
proxy_pass $upstream;
|
||||
}
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
- name: ensure directories exist
|
||||
file:
|
||||
path: "{{ item }}"
|
||||
state: directory
|
||||
mode: '0755'
|
||||
loop:
|
||||
- "{{ data_folder }}/radarr"
|
||||
- "{{ media.tv }}"
|
||||
- "{{ media.movies }}"
|
||||
- "{{ downloads.nzb }}"
|
||||
- name: run container
|
||||
docker_container:
|
||||
name: "{{ role_name }}"
|
||||
image: "linuxserver/radarr"
|
||||
networks:
|
||||
- name: external
|
||||
env:
|
||||
"TZ": "{{ tz }}"
|
||||
"PUID": "{{ puid }}"
|
||||
"PGID": "{{ pgid }}"
|
||||
"UMASK": "022"
|
||||
volumes:
|
||||
- "{{ data_folder }}/radarr:/config"
|
||||
- "{{ downloads.nzb }}:/downloads"
|
||||
- "{{ media.movies }}:/movies"
|
||||
ports:
|
||||
- "7878:7878"
|
||||
state: started
|
||||
- name: copy nginx conf
|
||||
template:
|
||||
src: "{{ role_name }}.conf.j2"
|
||||
dest: "{{ data_folder }}/nginx/conf.d/{{ role_name }}.{{ base_domain }}.conf"
|
||||
mode: "755"
|
||||
notify: reload nginx
|
|
@ -1,20 +0,0 @@
|
|||
server {
|
||||
server_name {{ role_name }}.{{ base_domain }};
|
||||
listen 80;
|
||||
return 301 https://$server_name$request_uri;
|
||||
}
|
||||
|
||||
server {
|
||||
server_name {{ role_name }}.{{ base_domain }};
|
||||
listen 443 ssl http2;
|
||||
|
||||
include /etc/nginx/snippets/authelia-endpoint.conf;
|
||||
|
||||
location / {
|
||||
include /etc/nginx/snippets/proxy.conf;
|
||||
include /etc/nginx/snippets/authelia-auth.conf;
|
||||
|
||||
set $upstream http://{{ role_name }}:7878;
|
||||
proxy_pass $upstream;
|
||||
}
|
||||
}
|
|
@ -1,19 +1,19 @@
|
|||
$ANSIBLE_VAULT;1.1;AES256
|
||||
35356537316639386637316365393533643061363734323630393363313237643935666639653963
|
||||
3734376266353938653631323266663139306335646635660a373233663964623335663366333434
|
||||
34386136656530386639646234316238326132616131616632346537613963636637393839613661
|
||||
6366326639643632320a386436316165343166366134633464393461653434323934326238313430
|
||||
39323439306637306134326635323138616337646336653238636539643538613664303764303661
|
||||
39636661353538393532663937396363656664613334383261336664336237356366663334633430
|
||||
36356235383930653835393439373737623036613565313131626462363034303062323662663832
|
||||
66613833613336646633383835653161386363386136663764653734313763383231626434393864
|
||||
63313061346335383933623630396336336561633938613237643238616531343766613734666132
|
||||
32306362616131396266656162653563356137383239616464306662643032623438373764306361
|
||||
32363133626662633435626232653061373831626563323861626635383039613136303632613335
|
||||
61363265316534653033393763646565393330633063323634353932353936303638356433306362
|
||||
65383938306637333765383263653939633964613230613835326630313761323561376162646439
|
||||
62323035323634323766393233326363383364653531306432663263303831623936616139306639
|
||||
64303863386265343165666435363761653464386366636366323261353731643263356635383536
|
||||
66326666616339653731633530663161363933383334376238313637356331663431336433643338
|
||||
64313861306161373538363332663363623131303561373237326436373838393965306663333835
|
||||
3764356534323963303832653964666431626538316361613137
|
||||
30346235333931303864373164626134343138306564323034633139363931653066326263333063
|
||||
6532376231363635613930376137326439306437636433370a643535356131363164373764613531
|
||||
36363735323930306338623164636563626334653532386632303936343737363731323166323530
|
||||
3439353635343236350a663261636633633033396262333164363062396464366135306135386337
|
||||
37333232376531353332373930306462393634386533636363343736646537666665633262633363
|
||||
64373434633963316365306562333765313439366431313234313563376630643931386363383233
|
||||
33363665613937366433643133613565646364303362626433396339313535383166326138313139
|
||||
61616333333530333761393631323461376536363733323764333631346338393166613531666335
|
||||
35373764376434346638356439393964313436366439366363393766643333623165353266386634
|
||||
66326434333165663630326332333061626366356363313538393130356365343738363237653565
|
||||
63613439373930326165326538386566636466306137636336663736333063613238356137346630
|
||||
31643064623563656438613665393332656435636233623265323063366139643937633132656337
|
||||
65326137396134333230616262333337373833663439313635663438396461373130396332316331
|
||||
66613933343365363335653135663237363538353863623534373563626166313034323039396334
|
||||
61383766343264313438353261306233373562343939663232383466336232373865356561316139
|
||||
38316466306531326165343265393262646463626563306363353765343462316534323336356432
|
||||
34373661363562636137393235323839616430376163393362313363626636343064663739313963
|
||||
3361333438346265623738393431346433353436666262396264
|
||||
|
|
Loading…
Reference in New Issue